[Snort-users] RE: Difficulty setting HOME_NET to my interface address

L. Christopher Luther

unread,

Feb 14, 2003, 2:48:45 PM2/14/03

to

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C2D45B.3F13CD50
Content-Type: text/plain;
charset="iso-8859-1"

The HOME_NET variable in snort.conf does not except the value of the
interface name; it is designed to use the IP network for which your computer
is a member. For example:

var HOME_NET 10.1.3.0/24 [to specify an entire Class C network]
var HOME_NET 192.168.0.1/32 [to specify a single host as the 'network']

Or any variation of thereof.

The problem you're faced with is the ever changing IP address that your
cable provider gives you. There is not much you can do about this, except
obtain a statis IP address or ask your cable provider for longer DHCP lease.
I've got a 180-day DHCP lease from my cable provider.

Also, depending on the O/S you're using for your Snort sensor, you may be
able to cobble together a script that periodically queries the Snort sensor
to detect an IP change, then modify the snort.conf file, and restart Snort.

My $0.02 ...

Christopher

-----Original Message-----
Message: 1
From: "Charles Darwin" <dar...@netmadeira.com>
To: <Snort...@lists.sourceforge.net>
Date: Fri, 14 Feb 2003 01:33:09 -0000
Subject: [Snort-users] Difficulty setting HOME_NET to my interface address

I'm having great difficulty doing this, because snort.config does not =
seems to accept my interface name when setting HOME_NET.
As a cable modem user I've great interest on doing this, as my IP =
changes oftenly.

Doing snort -W I get a list of my interfaces:

Interface Device Description
-------------------------------------------
1 \Device\NPF_NdisWanIp (NdisWan Adapter (Microsoft's Packet Scheduler) =
)
2 \Device\NPF_NdisWanIpx (NdisWan Adapter)
3 \Device\NPF_NdisWanBh (NdisWan Adapter (Microsoft's Packet Scheduler) =
)
4 \Device\NPF_{B42CDDC9-B4BB-42BB-86A5-456FB6192510} (Realtek =
8139-series PCI NI
C (Microsoft's =
Packet Sche
duler) )
5 \Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB} (Realtek =
8139-series PCI NI
C (Microsoft's =
Packet Sche
duler) )

The interface I want is the 5.

Then on snort.conf I write:

var HOME_NET $\Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB}_ADDRESS =

(line 48)

then snort -T

the result is:

------------------------------------
C:\Snort>snort -T
Initializing Output Plugins!
Log directory = log

Initializing Network Interface \
using config file ./snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR => Undefined variable name: (./snort.conf:48):
Fatal Error, Quitting..
----------------------------------------

Does anyone have an ideia of what I'm doing wrong?

Kind regards,

Paulo Santos Perneta <pper...@netmadeira.com>

------_=_NextPart_001_01C2D45B.3F13CD50
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2653.12">
<TITLE>RE: Difficulty setting HOME_NET to my interface address</TITLE>
</HEAD>
<BODY>

The HOME_NET variable in snort.conf does not except =
the value of the interface name; it is designed to use the IP network =
for which your computer is a member.  For example:  =

var HOME_NET =
10.1.3.0/24     [to specify an entire Class C =
network]
    var HOME_NET 192.168.0.1/32  [to =
specify a single host as the 'network']

Or any variation of thereof.

The problem you're faced with is the ever changing IP =
address that your cable provider gives you.  There is not much you =
can do about this, except obtain a statis IP address or ask your cable =
provider for longer DHCP lease.  I've got a 180-day DHCP lease =
from my cable provider.

Also, depending on the O/S you're using for your =
Snort sensor, you may be able to cobble together a script that =
periodically queries the Snort sensor to detect an IP change, then =
modify the snort.conf file, and restart Snort.

My $0.02 ...

Christopher

-----Original Message-----
 Message: 1
 From: "Charles Darwin" =
<dar...@netmadeira.com>
 To: <Snort...@lists.sourceforge.net>
 Date: Fri, 14 Feb 2003 01:33:09 -0000
 Subject: [Snort-users] Difficulty setting HOME_NET =
to my interface address

I'm having great difficulty doing this, because =
snort.config does not =3D
 seems to accept my interface name when setting =
HOME_NET.
 As a cable modem user I've great interest on doing =
this, as my IP =3D
 changes oftenly.

Doing snort -W I get a list of my interfaces:

Interface       =
Device          =
Description
 -------------------------------------------
 1  \Device\NPF_NdisWanIp (NdisWan Adapter =
(Microsoft's Packet Scheduler) =3D
 )
 2 \Device\NPF_NdisWanIpx (NdisWan Adapter)
 3 \Device\NPF_NdisWanBh (NdisWan Adapter =
(Microsoft's Packet Scheduler) =3D
 )
 4 \Device\NPF_{B42CDDC9-B4BB-42BB-86A5-456FB6192510} =
(Realtek =3D
 8139-series PCI NI
 C          &n=
bsp;           &n=
bsp;           &n=
bsp;           &n=
bsp;        (Microsoft's =3D
 Packet Sche
 duler) )
 5 \Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB} =
(Realtek =3D
 8139-series PCI NI
 C          &n=
bsp;           &n=
bsp;           &n=
bsp;           &n=
bsp;        (Microsoft's =3D
 Packet Sche
 duler) )

The interface I want is the 5.

Then on snort.conf I write:

var HOME_NET =
$\Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB}_ADDRESS =3D

(line 48)

then snort -T

the result is:

------------------------------------
 C:\Snort>snort  -T
 Initializing Output Plugins!
 Log directory =3D log

Initializing Network Interface \
 using config file ./snort.conf
 Initializing Preprocessors!
 Initializing Plug-ins!
 Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
 Initializing rule chains...
 ERROR =3D> Undefined variable name: =
(./snort.conf:48):
 Fatal Error, Quitting..
 ----------------------------------------

Does anyone have an ideia of what I'm doing =
wrong?

Kind regards,

Paulo Santos Perneta =
<pper...@netmadeira.com>

</BODY>
</HTML>
------_=_NextPart_001_01C2D45B.3F13CD50--

-------------------------------------------------------
This SF.NET email is sponsored by: FREE SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Charles Darwin

unread,

Feb 14, 2003, 8:46:56 PM2/14/03

to

The problem is it does not seems to accept the interface name...
Any ideia why is this happening?
(I checked with snort -W already and even made it appent the interface name
to the alerts to confirm, but still does not work :-\)

Paulo Santos Perneta <pper...@netmadeira.com>

> ----- Original Message -----
> From: "Erek Adams" <er...@snort.org>
> >
> > Actually, it _can_ take your interface name.
> >
> > For example:
> >
> > var HOME_NET $eth0_ADDRESS
> >
> > Check the FAQ for the answer [0].
> >
> > Now since he's on a Win32 platform this may not be working as it
should...
> > This will take some looking into.

L. Christopher Luther

unread,

Feb 15, 2003, 1:29:27 AM2/15/03

to

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C2D4B4.48803A00
Content-Type: text/plain;
charset="windows-1252"

Based on Erek Adams' post, I posted an update to my original reply --
basically, I'm thinking there's an anomaly w/ Snort handling interface names
that contain '\' characters.

However, as a simple answer to your question (see below), you could write a
CMD script that runs the XP ipconfig command, greps the 'IP Address'
information (PERL is good for this), and uses the IP address information to
generate a new snort.conf. Possibly by concatenating 'pieces' of various
text files together. For example, the flow of your CMD script *might* look
something like this:

ipconfig | grep "IP Address" > ip.txt
perl getip.pl < ip.txt
copy snort.conf.hdr + home_net.txt + snort.conf.tail
c:\bin\snort\snort.conf
kill snort
snort [some command line options]

(note 1: I can send you a nice Win32 port of grep if you don't have
one)
(note 2: getip.pl creates a home_net.txt file that contains "var
HOME_NET some-ip-address)
(note 3: You write getip.pl)
(note 4: sysinternals.com has a nice 'kill' utility called 'pskill')

Of course, there are other utils/scripts which one could use to dynamically
generate a new snort.conf file, and unfortunately for us Win32 folks, most
of the utils/scripts that have been written are *nix based. :{

Cheers!
- Christopher

-----Original Message-----
From: Paulo Santos Perneta [mailto:pper...@netmadeira.com]
Sent: Friday, February 14, 2003 7:51 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: Re: Difficulty setting HOME_NET to my interface address

I'm running Win XP currently.

I was thinking in something like detect the traffic between my machine and
the DHCP, and when detected a change of IP actualize the var $HOME_NET.

Is this possible to do with the snort rules?

Thanks for your help.

Paulo Santos Perneta <pper...@netmadeira.com>

----- Original Message -----
From: L. Christopher Luther

Also, depending on the O/S you're using for your Snort sensor, you may be
able to cobble together a script that periodically queries the Snort sensor
to detect an IP change, then modify the snort.conf file, and restart Snort.

------_=_NextPart_001_01C2D4B4.48803A00
Content-Type: text/html;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =

charset=3Dwindows-1252">

<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2653.12">
<TITLE>RE: Difficulty setting HOME_NET to my interface address</TITLE>
</HEAD>
<BODY>

Based on Erek Adams' post, I posted an update to my =
original reply -- basically, I'm thinking there's an anomaly w/ Snort =
handling interface names that contain '\' characters.

However, as a simple answer to your question (see =
below), you could write a CMD script that runs the XP ipconfig command, =
greps the 'IP Address' information (PERL is good for this), and uses =
the IP address information to generate a new snort.conf.  Possibly =
by concatenating 'pieces' of various text files together.  For =
example, the flow of your CMD script *might* look something like =
this:

ipconfig | =
grep "IP Address" > ip.txt
         perl =
getip.pl < ip.txt
         copy =
snort.conf.hdr + home_net.txt + snort.conf.tail =
c:\bin\snort\snort.conf
         kill =
snort
         snort =
[some command line options]

(note 1: I =
can send you a nice Win32 port of grep if you don't have one)
         (note 2: =
getip.pl creates a home_net.txt file that contains "var HOME_NET =
some-ip-address)
         (note 3: =
You write getip.pl) 
         (note 4: =
sysinternals.com has a nice 'kill' utility called 'pskill')  =

Of course, there are other utils/scripts which one =
could use to dynamically generate a new snort.conf file, and =
unfortunately for us Win32 folks, most of the utils/scripts that have =
been written are *nix based. :{

Cheers!
 - Christopher

-----Original Message-----

From: Paulo Santos Perneta [<A =
HREF=3D"mailto:pper...@netmadeira.com">mailto:pper...@netmadeira.com</=
A>]
 Sent: Friday, February 14, 2003 7:51 PM
 To: L. Christopher Luther
 Cc: Snort-Users (E-mail)
 Subject: Re: Difficulty setting HOME_NET to my =

interface address

I'm running Win XP currently.

I was thinking in something like detect the traffic =
between my machine and the DHCP, and when detected a change of IP =
actualize the var $HOME_NET.

Is this possible to do with the snort rules?

Thanks for your help.

Paulo Santos Perneta =
<pper...@netmadeira.com>

----- Original Message ----- 
 From: L. Christopher Luther

Also, depending on the O/S you're using for your =
Snort sensor, you may be able to cobble together a script that =
periodically queries the Snort sensor to detect an IP change, then =
modify the snort.conf file, and restart Snort.

</BODY>
</HTML>
------_=_NextPart_001_01C2D4B4.48803A00--

Paulo Santos Perneta

unread,

Feb 15, 2003, 9:48:31 AM2/15/03

to

The problem is it does not seems to accept the interface name...
Any ideia why is this happening?
(I checked with snort -W already and even made it appent the interface name
to the alerts to confirm, but still does not work :-\)

Paulo Santos Perneta <pper...@netmadeira.com>

----- Original Message -----
From: "Erek Adams" <er...@snort.org>
>
> Actually, it _can_ take your interface name.
>
> For example:
>
> var HOME_NET $eth0_ADDRESS
>
> Check the FAQ for the answer [0].
>
> Now since he's on a Win32 platform this may not be working as it should...
> This will take some looking into.
>

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

Chris Reid

unread,

Feb 16, 2003, 5:47:08 PM2/16/03

to

The problem was two-fold.

First, pcap represents the interfaces differently, depending on whether it
is a *nix flavour versus Win32. The parameter being passed into
DefineIfaceVar() under Win32 was actually treated as an empty string. So
under Win32, snort is currently creating a variable called $_ADDRESS, with
the correct information. (Under *nix, this would be something equivalent to
$eth0_ADDRESS). I have corrected this in snort 2.0. I'll test and update
1.9 later tonight.

Second, snort doesn't allow non-standard characters in variable names,
unless you "quote" the name using parentheses. Non-standard characters
include backslash, curly braces and hyphens. All of these appear in the
Win32 interface name. So, you need to "quote" the variable name, such as
(using an example from a previous message in this thread):

var HOME_NET
$(\Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB}_ADDRESS)

So, if you are using an existing snort distribution from before today, use
$_ADDRESS. If you update your source code as of today, from either a daily
tarball, or by grabbing source from CVS, use the "quoting" with parentheses.

Chris Reid

----- Original Message -----
From: "Erek Adams" <er...@snort.org>

To: "Charles Darwin" <dar...@netmadeira.com>
Cc: "Snort-Users (E-mail)" <snort...@lists.sourceforge.net>
Sent: Saturday, February 15, 2003 8:55 AM
Subject: Re: [Snort-users] RE: Difficulty setting HOME_NET to my interface
address

> On Sat, 15 Feb 2003, Charles Darwin wrote:
>
> > The problem is it does not seems to accept the interface name...
> > Any ideia why is this happening?
> > (I checked with snort -W already and even made it appent the interface
name
> > to the alerts to confirm, but still does not work :-\)
>

> Right. There seems to be some horkage with Win32 and the interface name.
> I can't verify/troubleshoot as I don't have a Win32 box. :-)
>
> I'll bounce it to the Win32 folks.
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson

Charles Darwin

unread,

Feb 16, 2003, 6:58:48 PM2/16/03

to

Chris:

Snort -W shows that I have currently 5 interfaces.
Which one would $_ADDRESS be referring to?

BTW, would you make available the updated pre-build binaries from Snort 1.9?

Best regards,

Paulo Santos Perneta <pper...@netmadeira.com>

----- Original Message -----
From: "Chris Reid" <Chris...@CodeCraftConsultants.com>

> $_ADDRESS. If you update your source code as of today, from either a
daily
> tarball, or by grabbing source from CVS, use the "quoting" with
parentheses.
>

-------------------------------------------------------

Charles Darwin

unread,

Feb 16, 2003, 7:48:10 PM2/16/03

to

----- Original Message -----
From: "Chris Reid" <Chris...@CodeCraftConsultants.com>

> So, if you are using an existing snort distribution from before today,
use

> $_ADDRESS. If you update your source code as of today, from either a
daily

When I use:

var HOME_NET $_ADDRESS

I get:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR => Undefined variable name: (./snort.conf:47): _ADDRESS
Fatal Error, Quitting..

This does not seems to be working either :-\

Paulo Santos Perneta <pper...@netmadeira.com>

Chris Reid

unread,

Feb 16, 2003, 10:52:51 PM2/16/03

to

I'm truly having a difficuly time typing today... One last time (and not
forgetting the backslash...)

var HOME_NET $(\_ADDRESS)

Sorry, everybody.

----- Original Message -----
From: "Chris Reid" <Chris...@CodeCraftConsultants.com>

To: "Charles Darwin" <dar...@netmadeira.com>; "Snort-Users (E-mail)"
<snort...@lists.sourceforge.net>
Sent: Sunday, February 16, 2003 7:59 PM
Subject: [Snort-users] RE: Difficulty setting HOME_NET to my interface
address

> Oops, you are correct. That should have in fact been:
>
> var HOME_NET $(_ADDRESS)
>
> I will be making new binary distributions available on my website tonight
> (both 1.9 and 2.0) which will correctly populate the full variable name
when
> it is being automatically created. You can feel free to use these until
> updated "official" binary distributions are available from snort.org.
>
> Chris Reid

>
>
> ----- Original Message -----
> From: "Charles Darwin" <dar...@netmadeira.com>
> To: "Snort-Users (E-mail)" <snort...@lists.sourceforge.net>
> Sent: Sunday, February 16, 2003 5:15 PM
> Subject: [Snort-users] RE: Difficulty setting HOME_NET to my interface
> address
>
>

Chris Reid

unread,

Feb 16, 2003, 10:57:46 PM2/16/03

to

L. Christopher Luther

unread,

Feb 16, 2003, 11:49:08 PM2/16/03

to

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C2D63A.5E186720
Content-Type: text/plain;
charset="windows-1252"

As noted in one of my previous posts, DefineIfaceVar() (at least in my
testing w/ Snort 1.8.6 and 1.8.7) actually creates a variable called
'$\_ADDRESS', not '$_ADDRESS'.

I've not tested Chris Reid's quoting suggestion, but you could try:

var HOME_NET $(\_ADDRESS)

and see what happens. Good luck.

Cheers!
- Christopher

-----Original Message-----
From: Paulo Santos Perneta [mailto:pper...@netmadeira.com]

Sent: Sunday, February 16, 2003 7:07 PM
To: Chris Reid; Erek Adams
Cc: Snort-Users (E-mail); L. Christopher Luther
Subject: Re: [Snort-users] RE: Difficulty setting HOME_NET to my
interface address

----- Original Message -----
From: "Chris Reid" <Chris...@CodeCraftConsultants.com>

> So, if you are using an existing snort distribution from before today, use
> $_ADDRESS. If you update your source code as of today, from either a
daily

When I use:

var HOME_NET $_ADDRESS

I get:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR => Undefined variable name: (./snort.conf:47): _ADDRESS
Fatal Error, Quitting..

This does not seems to be working either :-\

Paulo Santos Perneta <pper...@netmadeira.com>

------_=_NextPart_001_01C2D63A.5E186720

Content-Type: text/html;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dwindows-1252">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2653.12">
<TITLE>RE: Difficulty setting HOME_NET to my interface address</TITLE>
</HEAD>
<BODY>

As noted in one of my previous posts, =
DefineIfaceVar() (at least in my testing w/ Snort 1.8.6 and 1.8.7) =
actually creates a variable called '$\_ADDRESS', not '$_ADDRESS'.  =

I've not tested Chris Reid's quoting suggestion, but =
you could try:

var HOME_NET $(\_ADDRESS)

and see what happens.  Good luck.

Cheers!

- Christopher

-----Original Message-----
 From: Paulo Santos Perneta [<A =
HREF=3D"mailto:pper...@netmadeira.com">mailto:pper...@netmadeira.com</=
A>]

Sent: Sunday, February 16, 2003 7:07 PM
 To: Chris Reid; Erek Adams
 Cc: Snort-Users (E-mail); L. Christopher =
Luther
 Subject: Re: [Snort-users] RE: Difficulty setting =
HOME_NET to my
 interface address

----- Original Message -----
 From: "Chris Reid" =
<Chris...@CodeCraftConsultants.com>

> So, if you are using an existing snort =
distribution from before today, use
 > $_ADDRESS.  If you update your source code =
as of today, from either a
 daily

When I use:

var HOME_NET $_ADDRESS

I get:

+++++++++++++++++++++++++++++++++++++++++++++++++++
 Initializing rule chains...
 ERROR =3D> Undefined variable name: =

(./snort.conf:47): _ADDRESS
 Fatal Error, Quitting..

This does not seems to be working either :-\

Paulo Santos Perneta =
<pper...@netmadeira.com>

</BODY>
</HTML>
------_=_NextPart_001_01C2D63A.5E186720--

Paulo Santos Perneta

unread,

Feb 17, 2003, 11:04:54 AM2/17/03

to

----- Original Message -----
From: "Chris Reid" <Chris...@CodeCraftConsultants.com>

> So, if you are using an existing snort distribution from before today, use
> $_ADDRESS. If you update your source code as of today, from either a
daily

When I use:

var HOME_NET $_ADDRESS

I get:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR => Undefined variable name: (./snort.conf:47): _ADDRESS
Fatal Error, Quitting..

This does not seems to be working either :-\

Paulo Santos Perneta <pper...@netmadeira.com>

-------------------------------------------------------